The Secret Life of Forgotten Malware C2
(I think I found a new hobby)

Almost daily, we encounter new headlines and blog posts from various researchers and intelligence vendors, highlighting exploits from APT and crimeware groups that utilize custom domains with clever and unique names, such as Pandorasong. But what happens to these domains after they’re publicly named? Do threat actors immediately abandon them? Are they repurposed for future campaigns? And should we continue to monitor these domains in our Threat Intelligence Platforms (TIPs) for intelligence purposes, especially in light of their activities being exposed by open-source intelligence?

This presentation delves into these questions, offering a deep dive from the perspective of a Cyber Threat Intelligence (CTI) analyst and researcher curious about the fate of these domains once they are ‘burned.’ After spending way too much money and time buying up old domains, observing compromised machines still ‘calling home,’ and identifying who else is vying to purchase these domains, the overlooked world of forgotten malware C2 domains has revealed itself to be incredibly fascinating.

Building upon the seminal work of David Bianco’s ‘Pyramid of Pain,’ this talk aims to cast a new light on the threat posed by custom malware domains and the lasting value they offer to both scammers and researchers. It is hoped that industry professionals will come to place a special emphasis on custom malware domains, recognizing their persistent and long-term value to both attackers and defenders.